The newly patched “Venom” vulnerability in virtualization software is “perfect” for any organization targeting bitcoin wallets, private keys and forum passwords, according to Robert Graham, chief executive officer of security firm Errata.
Researchers first discovered the bug through the security firm CrowdStrike, which described Venom as a security vulnerability in the virtual floppy drive code used by computer virtualization platforms. They said:
“This vulnerability may allow an attacker to escape from the confines of an affected virtual machine (VM) guest and potentially obtain code-execution access to the host.”
“Absent mitigation, this VM escape could open access to the host system and all other VMs running on that host, potentially giving adversaries significant elevated access to the host’s local network and adjacent systems.”
CrowdStrike went on to say that the Venom vulnerability could expose access to corporate intellectual property (IP), as well as personal information, potentially impacting the ”thousands of organizations and millions of end users that rely on affected VMs for the allocation of shared computing resources, as well as connectivity, storage, security, and privacy”.
Graham said the now patched bug was a menace, as attackers would find it easy to exploit, often to lucrative effect. He said it would be a “perfect” bug for an organization such as the National Security Agency (NSA):
“This is a hypervisor privilege escalation bug. To exploit this, you'd sign up with one of the zillions of VPS [virtual private server] providers and get a Linux instance. You'd then, likely, replace the floppy driver in the Linux kernel with a custom driver that exploits this bug. You have root access to your own kernel, of course, which you are going to escalate to root access of the hypervisor.
“Once you gained control of the host, you'd then of course gain access to any of the other instances. This would be a perfect bug for the NSA. Bitcoin wallets, RSA private keys, forum passwords, and the like are easily found searching raw memory. Once you've popped the host, reading memory of other hosted virtual machines is undetectable.”
Graham said it was possible the NSA could buy multiple US$10 VPS instances around the world for US$100K before running the search.
“All sorts of great information would fall out of such an effort -- you'd probably make your money back from discovered Bitcoin alone,” he said.
“I'm not sure how data centers are going to fix this, since they have to reboot the host systems to patch. Customers hate reboots -- many would rather suffer the danger rather than have their instance reboot. Some data centers may be able to pause or migrate instances, which will make some customers happier.”